
Your smartphone is surprisingly vulnerable to viruses and malware. But you can protect yourself.

BARCELONA — The smartphone industry has given birth to a vibrant growth sector distinguished by its creativity, drive and entrepreneurship. Unfortunately, that sector is malware.

Conversations with security professionals here at Mobile World Congress, the world’s largest mobile tech show, provided a dismaying, but necessary, reminder that the computers in our pockets are targets for authors of malware and other scams — and that many of us don’t care about those risks.

“The amount of thought that consumers are giving to security is almost nonexistent,” said Gary Davis, chief consumer security evangelist at Intel (INTL).

App anxiety

The major malware risk on smartphones remains downloading a hostile app that tries to compromise your data or run up your phone bill. The best advice for avoiding such threats is to stick to the Google (GOOG, GOOGL) Play Store instead of downloading apps from third-party stores or off the Web.

The fact that Google screens its Play Store apps makes the risk of malware there “dramatically less than a third-party app store, by far,” said Davis. Still, the Play Store isn’t immune from crooks.

Last month, for instance, the Slovakian security firm ESET found a trojan app on the Play Store disguised as a world weather app. Google yanked the app after ESET notified the company.

“We encounter these things … I would say every couple of months,” said ESET chief technical officer Juraj Malcho. The risk of downloading malware on iOS is vanishingly small in comparison to Android, thanks in part to the strict limits Apple (AAPL) places on how apps interact with the operating system.

A recent report by Intel’s McAfee subsidiary noted a related issue: Many customers still have copies of apps on their devices that have long since been removed from the Play Store. The report urged more notification and disclosure when apps are taken out of the marketplace.

Read the reviews, please

But many users may ignore those alerts if an app looks legit. The McAfee report noted an example of a photo app that silently signed users up for premium text messaging services — and yet still earned a 3.5 out of 5 rating on the Play Store.

ESET’s Malcho said he wished people would look past apps’ ratings and instead check users’ comments. “Many times, we encounter clear reviews in the text, ‘Don’t install this,’ ‘this is bloody malware,’ and people install it anyway.”

Some of the countries represented at MWC don’t have access to the Play Store, because their governments block Google. That leaves those users subject to whatever defenses their local app store alternatives offer.

Niloofar Amini, business developer at Tehran-based Cafe Bazaar, said his Iranian firm has a dedicated review team to assess and re-assess apps. Of course, the company also has to ensure that titles comply with the Islamic Republic’s morality laws and limits on political speech.

If you’re in China? Good luck. Intel’s Davis described app stores there as “just riddled” with malware.

Good and bad news on phones

The show floor provides one reason for optimism about the state of Android security: fingerprint sensors. When even cheap, unlocked phones like the $229 Moto G5 Plus can be unlocked via their fingerprint sensors, we should begin to see more people securing their phones.

Today, a disturbingly high number — 28 percent of Americans, according to a Pew Research Center study released in January — don’t lock their phones at all. Without that, a stolen phone can easily be wiped and resold … after the thief abuses all the personal data on it.

“Let’s stop calling it a phone,” said Raj Samani, Intel Security’s chief technical officer for Europe, the Middle East and Africa. “It’s not even a computing device — it is our digital passport.”

Unfortunately, most of the devices on the floor don’t run the latest version of Android, which can leave them open to security holes. Demo units of Samsung’s new Tab S3 tablet, LG’s G6, Moto’s G5 Plus and HTC’s (headphone jack-deprived) U Ultra all ran Google’s Android 7.0, which shipped in August, not its subsequent updates.

The new Nokia 5 was a refreshing exception, showing the current 7.1.1 release and security patches current through March 1 — but that phone hasn’t been announced for the U.S. market yet.

Meanwhile, the majority of Android phones run older versions that lack the stronger security of 7.0, and the stricter control of apps added in 2015’s Android 6.0. Intel’s Samani called those “brownfield” devices, after the term developers use for environmentally contaminated sites that they sometimes must build on.

ESET’s Malcho mused out loud about a more extreme fix for that brownfield-phone problem: “Make the device so it dies in two years.”

Source : Yahoo.com


Remember that last time you posted a picture on Facebook and it automatically suggested to tag other people on the photo? Nothing unusual. You’ve tagged these people before, right? You’ve trained the machine learning face-recognition algorithm. And now Facebook can spot where they are on your picture.


Now, even if you refuse to tag anyone, this doesn’t mean Facebook never stores this information somewhere. Like, “person A is potentially present on picture B”. Actually, I’m almost 100% sure they do store it. Hell, I would if I was them.

I bet you already see where I’m going with this.

Now imagine you take a selfie in a crowded place. Like an airport or a train station. There are some people walking in the background. Hundreds of them. Some of them facing the camera. Guess what: Facebook’s AI has just spotted them.

Even if you’re extremely cautious, even if you never post anything on Facebook, even if you have “location services” disabled on your phone at all times etc. etc. Facebook still knows where you are. You can’t stop other people from taking selfies in an airport.

Now all these Jason Bourne movies don’t look so ridiculous any more, do they? All the stupid scenes with people in a control room shouting “OK, we need to find this guy, quick, oh, there he is, Berlin Hauptbahnhof arrival hall just 20 minutes ago, send the asset!” or something like that.

“DeepFace”

This is not just me being paranoid. Various sources indicate that

Facebook uses a program it calls DeepFace to match other photos of a person. Alphabet Inc.’s cloud-based Google Photos service uses similar technology.

The efficiency is astonishing

According to the company’s research, DeepFace recognizes faces with an accuracy rate of 97.35 percent compared with 97.5 percent for humans — including mothers

Face recognition has been built into surveillance systems and law enforcement databases for a while now.

We could soon have security cameras in stores that identify people as they shop (source)

Even being in “readonly” mode doesn’t help

Every time you simply check Facebook without actually posting anything, the app generates a post draft for you. Ever seen this? If you have a link or a picture saved in your clipboard, it even offers to attach that to your post. And of course, it has your location.

How can you be sure it does not communicate that data to the servers?

Actually, I’m pretty sure it does since the app generates that “preview image” of the link stored in your clipboard (you know, that nicely formatted headline with the cover image).

There’s even more. Some evidence suggests that Facebook collects your keystrokes before you actually hit the “Post” button! If you then choose to backspace everything you’ve typed — too late…

Facebook has about 600 terabytes of data coming in on a daily basis (source, 2014).

If I were the NSA I would definitely approach Facebook for this data.

UPDATE: a little privacy tip: use Facebook in mobile Safari, with an adblocker, and delete the iOS native app — helps a lot AND saves you from tons of ads and 3rd party cookie tracking. Not to mention wonders for the battery. I’m sure there’s a similar solution for Android.

On a desktop — use an extension like Disconnect to block 3rd party cookie tracking.

Author : Alex Yumashev

Source : https://medium.com/@jitbit/facebook-is-terrifying-8dc4a016b64b#.w0mdkcfp1


We know that our smartphones are capable of doing just about anything which our desktops can do these days. But all too often, we don’t protect our smartphones nearly as well as we protect our computers.

Hackers are just as capable of breaking into your smartphone, and they can do all sorts of damage to you once they are in. As 60 Minutes showed, a hacker could break into your phone and find out who you are calling, where you are, and even listen in on your conversations and read your texts. There is also the recent incident in which several Democratic staffers had their phones attacked by foreign hackers looking to uncover private information.

But while there is no such thing as the perfect protection, implementing protection protocols can help keep your phone safe. Upon seeing even simple protections, most hackers will just move on and search for another less-protected phone. Here are a few things which you can do to keep your phone safe.

1. Keep your Phone safe

You may think of hackers as nerds sitting in some basements inputting some complicated program. But that is not the biggest threat to your phone. Your biggest threat is an ordinary thief who snatches your phone, escapes, and then cracks your password to find what is inside.

So the first step to protecting your phone is to do the same things which you should be doing to protect against thieves. Be aware of your environment when you are using your smartphone. Keep an eye out for suspicious individuals, and grip your phone with both hands so it is harder for the thief to rip it away. Also, back up your mobile data to your computer so that you can easily access it if your phone gets stolen.

2. Don’t use your Phone for everything

One of the biggest reasons why hackers try to go after your phone is so that they can uncover sensitive information such as banking information and passwords. But if you don’t have that sort of data on your phone, then there is nothing for the hacker to uncover.

Obviously, you need certain private information on your phone. But what about something like banking information or work-related affairs? Do you really need to check that information now, or can it wait until you get home and check it on your computer?

Avoid accessing confidential information whenever possible, especially if you are using public Wi-Fi. Also regularly clear your browsing history and caches so that hackers have less information to find.

3. Update your phone

Hacking is a war between hackers and software companies. The hackers find loopholes, software companies fix the holes, the hackers find more holes, and so on. But in order to fix those holes, you have to keep your phone updated so that the earlier holes are filled in.

This is particularly important because less competent hackers have to rely on those holes which other hackers have uncovered to get your information. The longer you choose not to update your phone, the more opportunity there is to break in and uncover your information.

4. Look into encryption

There are a lot of people out there who think that encryption and password protection are the same thing. This is incorrect. Encryption scrambles your phone’s data so that even if the hacker just hacks your phone while bypassing the password request (and they can do that), the data will be completely illegible. Just look at the recent controversy between Apple and the FBI on breaking into a terrorist’s Apple phone, and that should give an idea of how hard it can be to break into an encrypted phone.

Encryption can do a lot to protect your phone’s data and the good news is that all iPhones and newer Android versions come with their phone automatically encrypted once you set a password (tip: set a password for your phone). But if you have an older version, you will have to encrypt it yourself by going into the security section of your phone’s settings.

5. Be careful using public Wi-Fi and Bluetooth

Public Wi-Fi and Bluetooth are easy to use, but they are an easy gateway for hackers to get into your mobile phones. As CNN notes, hackers can trick your phones into connecting to spoof Wi-Fi or Bluetooth accounts which just end up sending all your cell phone’s data right to the hacker. Hackers can also take advantage of vulnerabilities in Bluetooth software as another way into your cellphone.

So try to rely on your phone’s 4G network instead of Wi-Fi or Bluetooth, and never let your phone automatically connect to public Wi-Fi hotspots. If you do, then it is possible for hackers to realize your phone is connected and hack in even while you have no idea that your phone is connecting to the Wi-Fi network in the first place.

Author: Michael Prywes
Source: http://www.lifehack.org/466933/5-expert-security-tips-for-your-smartphone


WHETHER IT WAS a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.

Consumer Drones Get Weaponized

Given how frequently the US has used massive flying robots to kill people, perhaps it’s no surprise that smaller drones are now turning deadly, too—this time in the hands of America’s enemies. In October the New York Times reported that in the first known case, US-allied Kurdish soldiers were killed by a small drone the size of a model airplane, rigged with explosives. As drones become smaller, cheaper, and more powerful, the next year will see that experiment widened into a full-blown tactic for guerrilla warfare and terrorism. What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator? The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer-grade bombs and the defenses against them will likely be a violent game of cat-and-mouse.

Another iPhone Encryption Clash

When the FBI earlier this year demanded that Apple write new software to help crack its own device—the iPhone 5c of dead San Bernardino terrorist Rizwan Farook—it fired the first shots in a new chapter of the decades-long war between law enforcement and encryption. And when it backed off that request, saying it had found its own technique to crack the phone, it only delayed any resolution. It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again. In fact, in October the FBI revealed that another ISIS-linked terrorist, the man who stabbed ten people in a Minnesota mall, used an iPhone. Depending on what model iPhone it is, that locked device could spark Apple vs. FBI, round two, if the bureau is determined enough to access the terrorist’s data. (It took three months after the San Bernardino attack for the FBI’s conflict with Apple to become public, and that window hasn’t passed in the Minnesota case.) Sooner or later, expect another crypto clash.

Russian Hackers Run Amok

Two months have passed since the Office of the Director of National Intelligence and the Department of Homeland Security stated what most of the private sector cybersecurity world already believed: That the Kremlin hacked the American election, breaching the Democratic National Committee and Democratic Congressional Campaign Committee and spilling their guts to WikiLeaks. Since then, the White House has promised a response to put Russia back in check, but none has surfaced. And with less than a month until the inauguration of Putin’s preferred candidate—one who has buddied up to the Russian government at every opportunity and promised to weaken America’s NATO commitments—any deterrent effect of a retaliation would be temporary at best. In fact, the apparent success of Russia’s efforts—if, as CIA and FBI officials have now both told the Washington Post, Trump’s election was the hackers’ goal—will only embolden Russia’s digital intruders to try new targets and techniques. Expect them to replicate their influence operations ahead of elections next year in Germany, the Netherlands, and France, and potentially to even try new tricks like data sabotage or attacks on physical infrastructure.

A Growing Rift Between the President and the Intelligence Community

Though the US intelligence community—including the FBI, NSA, and CIA—has unanimously attributed multiple incidents of political hacking to Russian government-sponsored attackers, President-elect Donald Trump has remained skeptical. Furthermore, he has repeatedly cast doubt on digital forensics as an intelligence discipline, saying things like, “Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody.” Trump has also caused a stir by declining daily intelligence briefings. Beyond just the current situation with Russia, Trump’s casual dismissal of intelligence agency findings is creating an unprecedented dissonance between the Office of the President and the groups that bring it vital information about the world. Current and former members of the intelligence community told WIRED in mid-December that they find Trump’s attitude disturbing and deeply concerning. If the President-elect permanently adopts this posture, it could irrevocably hinder the role of intelligence agencies in government. President Obama, for one, says he is hopeful that the situation is temporary, since Trump has not yet felt the full responsibility of the presidency. “I think there is a sobering process when you walk into the Oval Office,” Obama said recently in a press conference. “There is just a whole different attitude and vibe when you’re not in power as when you are in power.” If Trump does eventually embrace the intelligence community more fully, the next question will be whether it can move on from what has already transpired.

DDoS Attacks Will Crash the Internet Again (And Again, And Again)

This was the year of Internet of Things botnets, in which malware infects inconspicuous devices like routers and DVRs and then coordinates them to overwhelm an online target with a glut of internet traffic, in what’s known as a distributed denial of service attack (DDoS). Botnets have traditionally been built with compromised PCs, but poor IoT security has made embedded devices an appealing next frontier for hackers, who have been building massive IoT botnets. The most well-known example in 2016, called Mirai, was used this fall to attack and temporarily bring down individual websites, but was also turned on Internet Service Providers and internet-backbone companies, causing connectivity interruptions around the world. DDoS attacks are used by script kiddies and nation states alike, and as long as the pool of unsecured computing devices endlessly grows, a diverse array of attackers will have no disincentive to turn their DDoS cannons on internet infrastructure. And it’s not just internet connectivity itself. Hackers already used a DDoS attack to knock out central heating in some buildings in Finland in November. The versatility of DDoS attacks is precisely what makes them so dangerous. In 2017, they’ll be more prevalent than ever.

Ransomware Expands Its Targets

Ransomware attacks have become a billion-dollar business for cybercriminals and are on the rise for individuals and institutions alike. Attackers already use ransomware to extort money from hospitals and corporations that need to regain control of their systems quickly, and the more success attackers have, the more they are willing to invest in development of new techniques. A recent ransomware version called Popcorn Time, for example, was experimenting with offering victims an alternative to paying up—if they could successfully infect two other devices with the ransomware. And more innovation, plus more disruption, will come in 2017. Ransomware attacks on financial firms have already been rising, and attackers may be emboldened to take on large banks and central financial institutions. And IoT ransomware could crop up in 2017, too. It may not make sense for a surveillance camera, which might not even have an interface for users to pay the ransom, but could be effective for devices that sync with smartphones or tie in to a corporate network. Attackers could also demand money in exchange for ceasing an IoT botnet-driven DDoS attack. In other words, ransomware attacks are going to get bigger in every possible sense of the word.

Author: WIRED STAFF
Source: https://www.wired.com/2017/01/biggest-security-threats-coming-2017


Why hack Android devices one at a time when you can infect local Wi-Fi access points with an Android Trojan and use DNS hijacking to hack every device connected to that network?

Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call "Trojan.AndroidOS.Switcher" and which is doing almost exactly that: Once it wakes up and determines it's on a targeted wireless network, the malware runs a brute force attack on the local Wi-Fi router password. If successful, the malware resets the default domain name system (DNS) servers to its own servers. From there, almost any kind of attack is possible on other devices or systems connected to that network.

"Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network," wrote Nikita Buchka, mobile malware analyst at Kaspersky, in a blog post. The new Android Trojan gains access to the router by a brute-force password-guessing attack on the router's admin web interface. "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals -- such an attack is also known as DNS hijacking."

Because devices on a Wi-Fi network usually take their DNS server settings from whatever the local router hands out, this new Android Trojan can force devices connected through the router to point to rogue DNS servers under the control of the attacker. The result, Buchka wrote, is that "after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router."

If successfully installed on a router, Buchka wrote, the Switcher malware can expose users to "a wide range of attacks" such as phishing schemes. "The main danger of such tampering with routers' [settings] is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked," he wrote. "Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted."

By setting the secondary DNS server to Google's DNS service, located at IP address 8.8.8.8, the attackers ensure that even if their own malicious DNS server is unavailable, users won't experience any outage.

Once in place on a user's Android device, Switcher checks for the local wireless network's basic service set identifier -- the MAC address of the local network's access point -- and reports it to the Trojan's command and control network before going to work on brute-forcing, and reconfiguring, the router. The malware also attempts to identify which internet service provider is being used so that it can reconfigure the router to use one of three rogue DNS servers, and then it runs the brute-force attack on the router's web interface for system administration.

The Kaspersky researchers reported two versions of the Android Trojan: One masquerading as a mobile client for the Chinese search engine Baidu, and the other a fake version of another popular Chinese app used to share Wi-Fi access information. Based on its analysis of input field names hardcoded in the malware, as well as the structure of HTML files the Android Trojan attempts to access, Kaspersky judged that Switcher affects only TP-LINK Wi-Fi routers.

The actor responsible for Switcher piggybacked its command and control system on top of a website it set up to promote its fake Wi-Fi access app; according to Kaspersky, the site also includes an infection counter for Switcher. Kaspersky reported that 1,280 Wi-Fi networks had been successfully infiltrated. Kaspersky recommended users check their DNS configurations to see if any of the rogue DNS servers (101.200.147.153, 112.33.13.11 and 120.76.249.59) have been configured. If a network has been infected, the attack can be mitigated by resetting the DNS server configuration and resetting the default router administration password; the attack can also be prevented by changing the default user ID and password for administering vulnerable routers.
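One way to run the check Kaspersky recommends, as an added example that is not part of the original article or of Kaspersky's tooling: it parses resolv.conf-style text and ISC dhclient lease text (both sample inputs are constructed here), flags the three rogue addresses quoted above, and also flags the rogue-primary/8.8.8.8-secondary pattern Buchka describes.

```python
"""Check a client's DNS resolver configuration for the rogue servers that
Kaspersky attributed to the Switcher Android Trojan.

Added example, not from the article or from Kaspersky. Sample inputs are
constructed to look like a clean and an infected client configuration.
"""
import ipaddress
import re

# Rogue DNS servers named in the article (Kaspersky's indicators).
SWITCHER_ROGUE_DNS = {
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
}

# The article notes the malware sets Google's 8.8.8.8 as the secondary server
# so that users see no outage; a rogue primary followed by 8.8.8.8 is the tell.
GOOGLE_PUBLIC_DNS = "8.8.8.8"


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dhclient_leases(text):
    """Return the DNS servers (DHCP option 6) from the most recent lease in
    ISC dhclient lease text; dhclient appends leases, so the last one wins."""
    matches = re.findall(r"option domain-name-servers\s+([^;]+);", text)
    if not matches:
        return []
    return [s.strip() for s in matches[-1].split(",")]


def assess_dns_servers(servers):
    """Classify a resolver list: which entries are known Switcher indicators,
    which are not valid IP addresses, and whether the rogue-primary plus
    8.8.8.8-secondary pattern described in the article is present."""
    rogue, invalid = [], []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            invalid.append(s)
            continue
        if s in SWITCHER_ROGUE_DNS:
            rogue.append(s)
    switcher_pattern = (
        len(servers) >= 2
        and servers[0] in SWITCHER_ROGUE_DNS
        and servers[1] == GOOGLE_PUBLIC_DNS
    )
    return {
        "servers": servers,
        "rogue": rogue,
        "invalid": invalid,
        "switcher_pattern": switcher_pattern,
        "compromised": bool(rogue),
    }


# Constructed sample: a clean client that resolves through its router.
CLEAN_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 192.168.0.1
"""

# Constructed sample: dhclient leases where the newest lease carries the
# rogue primary and Google's 8.8.8.8 as secondary, as the article describes.
INFECTED_LEASES = """\
lease {
  interface "wlan0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
lease {
  interface "wlan0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 101.200.147.153, 8.8.8.8;
}
"""


def check_samples():
    """Assess both constructed samples; returns (clean_report, infected_report)."""
    clean = assess_dns_servers(parse_resolv_conf(CLEAN_RESOLV_CONF))
    infected = assess_dns_servers(parse_dhclient_leases(INFECTED_LEASES))
    return clean, infected


if __name__ == "__main__":
    for name, report in zip(("clean", "infected"), check_samples()):
        print(name, report)
```

On a real client, feed it the contents of /etc/resolv.conf or the dhclient lease file; the same check against the router's own DNS and DHCP settings page is what confirms whether the router, rather than just one client, has been reconfigured.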


Author: Peter Loshin
Source: http://searchsecurity.techtarget.com/news/450410127/Switcher-Android-Trojan-targets-routers-with-rogue-DNS-servers


What do you see as the major security threats in the coming 5-10 years as PC sales have declined and mobile nodes or IoT devices will explode? originally appeared on Quora – the knowledge sharing network where compelling questions are answered by people with unique insights.

Answer by Mikko Hypponen, CRO at F-Secure, on Quora:

Smartphones are actually much more secure than computers. They have fairly bad privacy problems, but from a security point of view, they are clearly superior to computers. This is mostly because of the app store model, as you can’t just run random programs.

We have seen security problems and malware on smartphones, but they are typically related to users sideloading apps from third party sources or rooting their devices by themselves.

IoT headaches have already started. One thing we are forecasting is that home IoT devices will more and more become “the way in”, or the weak link in the chain. Attackers might not be able to break into your home network via your computers, but they might be able to break in via your IoT coffee machine. And, one day we will see IoT ransomware. Imagine ransomware on your smart car: “Pay 2 Bitcoins if you want to pick up the kids from the daycare in time.”

Source : http://www.forbes.com/sites/quora/2016/12/27/the-internet-of-things-is-coming-and-its-bringing-security-headaches/#3d13bc17d468


2016 was the banner year for cyber security – and not in a good way. But what does 2017 have in store?

There is no denying that 2016 was a big year for cybercrime. From the Bank of Bangladesh/SWIFT heist in February to the Dyn DDoS attack a few weeks ago, there was plenty of proof that hackers are getting smarter and their innovation is on a growth trajectory.

If there is one good thing derived from these hacks, it is that they have made alarm bells ring loud and true for consumers and organisations alike. This is the starting point for five cyber security predictions for the year ahead.

1. Consumers will prioritise security when deciding which companies to do business with

Following high-profile data breaches in 2016, including Yahoo and Three Mobile, consumers are more anxious than ever about the downstream financial crime that follows a cyber attack.

As the realisation of what a criminal can achieve once they have taken our data sinks in, consumers are beginning to demand guarantees that their service providers are safe.

In 2017, a trend will emerge around customers wanting to understand more about the security of the organisations they do business with.

Just as companies promote ‘seals of approval’ for accomplishments like being ‘green’, promoting gender equality or having accident-free workplaces, customers will look for some sort of seal of assurance that the companies they do business with have a strong cybersecurity posture.

In fact, Ofcom has recently highlighted that broadband providers such as BT are worse at customer service than financial services providers and must do more to deliver a reliable internet connection.

2. Consumers will take ownership of their own cybersecurity

The great doorbell hack of 2016 kicked off the year with a loud ding-dong. Hackers have figured out that smart home devices, such as doorbells and refrigerators, are gateways to home Wi-Fi networks and email logins.

Similar to how criminals developed new and more inventive scams to get hold of consumers’ data in the ‘90s, this is just the beginning of consumer-targeted cybercrime.

As people add more Internet of Things (IoT) devices to their smart homes and take more of their daily affairs online, the security of their online environment will become even more important.

In 2017, new services will emerge that allow consumers to evaluate their own cyber security as they work to protect their data and savings from criminals, and strive to take ownership of their cybersecurity.

3. Consumers and businesses will acknowledge the threat potential of IoT devices

Beyond hacked doorbells and refrigerators, certain IoT devices, like self-driving cars, can present serious security threats. Expect more attacks to follow, especially as it is currently easier for a hacker to create an IoT botnet to compromise a device than it is to phish for data in traditional ways. There is a serious lack of security features in the code developed for IoT devices which needs to be addressed.

Due to the risk some of these devices pose to human life, it should be no surprise to hear that the security of IoT coding will come under stricter scrutiny than ever before.

As IoT devices become widely used by businesses and individuals alike, people and organisations will make security considerations a priority in their decisions to use smart devices, not an afterthought.

4. Businesses will assess the cyber security of their own and partners’ networks

Led by the Office of the Comptroller of the Currency (OCC) directive requiring banks to manage risks – including cybersecurity risk – in their third-party relationships, companies in all industries will start paying a lot more attention to their business partners’ cybersecurity posture in 2017.


Most businesses have large and complex networks of partners, suppliers, vendors and other stakeholders with whom they exchange information on a regular basis. This means that the web of risk is incredibly wide, and a security breach in any link of the chain can expose the entire network.

Boardrooms across all industries have brought concerns about partner network security to the top of their agenda, so in 2017 we will see growth in the adoption of tools that assess risk across the entire network and bring a company’s security status to the forefront for partners, enterprises, and insurers.

5. Biometric security data may become the biggest security vulnerability of all

It started with the innovative Apple TouchID, developed to make it easier for consumers to unlock their phones. But, in 2016, we have seen biometric identification go mainstream – even three-year-old kids’ fingerprints are being captured when they visit Disney World.

Many believe that biometric security data is safer than digit-based passwords and, if used correctly, it may be so. However, in the wrong hands, biometric security data also has explosive potential.

In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future.

This is especially the case if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

Author:  Ben Rossi

Source:  http://www.information-age.com/5-cyber-security-predictions-2017-123463528


NOT SO LONG ago, the internet represented a force for subversion, and WIRED’s list of the most dangerous people on the internet mostly consisted of rebellious individuals using the online world’s disruptive potential to take on the world’s power structures. But as the internet has entered every facet of our lives, and governments and political figures have learned to exploit it, the most dangerous people on the internet today often are the most powerful people.

A Russian dictator has evolved his tactics from suppressing internet dissent to using online media for strategic leaks and disinformation. A media mogul who rose to prominence on a wave of hateful bile now sits at the right hand of the president. And a man who a year ago was a reality television star and Twitter troll is now the leader of the free world.

Vladimir Putin

Since experts pinned the Democratic National Committee breach in July on two teams of hackers with Russian-state ties, the cybersecurity and US intelligence community’s consensus has only grown: Russia is using the internet to screw with America’s electoral politics. The Russian hack of the Democratic National Committee and the Democratic Congressional Campaign Committee, followed by the leak of those groups’ private communications, injected chaos and distraction into the Democratic party at a crucial moment in the electoral season, and may have even helped tip the scales for Trump.

Even before those Russian hackers’ handiwork came to light, Putin’s government was already hard at work poisoning political discourse online. Its armies of paid trolls have been busy injecting false stories into online discussion forums, attacking the Kremlin’s critics on Twitter and in the comments of news sites. Taken together, that hacking and trolling makes Putin’s government one of the world’s most malevolent forces for disinformation and disruption online. And if anything, recent events have only emboldened them.

Donald Trump

When WIRED compiled its list of the internet’s most dangerous people in 2015, we called Trump a “demagogue, more interested in inciting backward fears and playing to Americans’ worst prejudices than addressing global problems.” None of that has changed. Trump still hasn’t officially renounced his promises of a ban on Muslim immigration or apologized for calling Mexican immigrants rapists. Now, he’s weeks away from becoming President of the United States.

As President-elect, Trump has continued to act as the world’s most powerful internet troll, telling his 17.6 million Twitter followers that anyone who burns the American flag should be unconstitutionally imprisoned and have their citizenship revoked, and arguing, with no evidence, that millions of fraudulent votes were cast in an election that he won. Trump’s Twitter account telegraphs his apparent disregard for the Constitution, spreads disinformation on a massive scale, and has baselessly called America’s electoral process into question.

Steve Bannon

Before Steve Bannon joined Donald Trump’s campaign as CEO, he was already in Trump’s corner as the publisher of the righter-than-right wing news site Breitbart.com. During his tenure running that site, Breitbart published the racist, anti-semitic and overtly misogynist content that made it the paper of record for the bigoted new political fringe known as the alt-right. Now, as the chief strategist for Trump’s transition team and coming presidency, he stands to bring that fascist agitprop perspective into the White House itself.

James Comey

In the weeks before November’s election, FBI Director James Comey cemented his already controversial reputation by revealing that his agents would continue the investigation into Hillary Clinton’s private email server, after previously setting it aside in July. He did not explain anything about what a newly found trove of emails entailed, or why they might be significant (they weren’t). That half-clue was all the Trump campaign and its surrogates needed to start a wildfire of speculation, and even to claim that Clinton would be imminently indicted (she wasn’t).

But even before Comey’s unwarranted insertion of the FBI into the most sensitive political moment of a tense election, the FBI head had led the federal government’s war on encryption to a dangerous standoff: demanding that Apple write code to help the bureau crack its own device, the locked iPhone 5c of San Bernardino killer Rizwan Farook. That six-week battle, which finally ended in the FBI finding its own method of breaking into the phone, showed Comey’s willingness to compromise Americans’ cybersecurity and privacy in the interests of surveillance, and put a lasting strain on Silicon Valley’s relationship with the FBI.

ISIS

The pseudo-religious apocalyptic cult known as the Islamic State may be losing money, resources, and ground on its home turf in Iraq and Syria. But its tendrils still extend throughout the web and social media. The group showed in 2016 that it can still reach lone, disaffected, and even mentally ill people to inspire tragic acts of violence. Even as its direct power crumbles, ISIS’s propaganda this year contributed to horrific massacres from the Bastille Day truck attack in Nice to the Pulse night club shootings in Orlando. And unlike the rest of the individuals on this list, ISIS’s danger comes from what social media extremism expert Humera Khan calls “the ISIS Borg collective.” The deaths of dozens of top ISIS commanders in 2016, in other words, haven’t dulled the group’s message.

Milo Yiannopoulos

The Breitbart columnist Milo Yiannopoulos in 2016 illustrated everything that’s wrong with Twitter. Not simply his role as an “alt-right troll”—a polite term for a race-baiting, misogynistic, immoral fame-monger. Yiannopoulos graduated from awful ideas to actual targeted abuse, gleefully turning his hordes of followers on targets like actress and comedian Leslie Jones, who thanks to Yiannopoulos was drowned in so much nakedly racist, sexist abuse that she temporarily quit the site. Twitter eventually banned him, a decision Yiannopoulos lauded as only increasing his fame. And there are plenty more people who still espouse his ideas on the platform. But it will at least keep his vile statements confined to the darker corners of the internet, where they belong.

Recep Tayyip Erdoğan

For a brief moment this summer, the world feared that a military coup would topple Turkey’s elected president Recep Tayyip Erdoğan. Then it watched in horror as Erdoğan used that failed coup to justify an internet and media crackdown rarely, if ever, seen in modern democracies. More than a hundred Turkish journalists have since been jailed, and access has been intermittently throttled or cut to Twitter, Facebook, YouTube, and WhatsApp. In response to protests that have since embroiled the country, Erdoğan’s regime has at times cut off internet access entirely to millions of Turks, denying them both the means to assemble and spread dissident information, as well as basic services.

Julian Assange

Julian Assange proved in 2016 that even from the two-room de facto prison of London’s Ecuadorean embassy, it’s possible to upend the powers-that-be. In WikiLeaks’ most influential and controversial moves since it first rose to national attention in 2010, Assange masterminded the leaks of emails from the Democratic National Committee and the email account of Hillary Clinton campaign staffer John Podesta. Never mind that those leaks appeared to come not from internal whistleblowers but from external hackers, believed by US intelligence agencies to be on Russia’s payroll. Assange has denied that his source is Russian. But it’s a curious claim: WikiLeaks is designed to guarantee sources’ anonymity, so that even he can’t identify them. He also promises those sources he’ll “maximize the impact” of their leaks. And in this election, he kept his promise.

Peter Thiel

After supporting Donald Trump’s campaign financially and vocally, Peter Thiel ended this year as arguably the most influential person in Silicon Valley, literally sitting at the left hand of the president-elect in the tech industry’s meeting with him earlier this month. The intelligence contractor Palantir, which he co-founded, will no doubt rise with him, and its powers for privacy-piercing analysis could become more broadly applied within America’s intelligence and law enforcement agencies than ever before.

But we’ll leave all that for next year’s “most dangerous” list. Thiel’s real demonstration of his power in 2016 came in the form of Hulk Hogan’s lawsuit against Gawker, which the tech billionaire was revealed to have funded. The suit effectively wiped one of his personal enemies off the internet—which, as Thiel has calmly explained, was his goal. Given that win for censorship, his role on the Trump transition team, and Trump’s promise to “open up” libel laws, Gawker may just be the canary in the First Amendment coal mine.

Source : https://www.wired.com/2016/12/dangerous-people-internet-2016/


No security posture is absolute. Rather than attempting only to prevent a security breach, organisations should implement strong plans for what to do when one takes place.

These days, data breaches are an all too common occurrence. Barely a week goes by without another high-profile attack taking place. With increasing legislation and regulatory requirements coming into play, these announcements are likely to become more prominent.

There’s much advice given about how to reduce the risk of an attack and the different preventative measures that organisations can put in place. However, with new technologies and routes of entry for attackers, preventive measures alone are not enough.

In order to ensure all bases are covered, organisations need to be prepared with a solid security incident response plan. When an incident occurs, it will ensure everyone knows exactly what to do to minimise the impact to their organisation.

Many organisations lack incident response plans for the same reason most people don’t get travel insurance before going on holiday, or check their tyre pressure before driving long distances.

Most people don’t think about these things until it’s too late. Developing and implementing a security incident response plan can be time consuming and often costly – two things most organisations do not have.

Without a response plan, incidents can escalate quickly and the impact can be severe. An incident response plan gives organisations a much better chance of isolating and controlling an incident in a timely and cost effective manner.

A recent incident response survey uncovered concerns by IT professionals about their organisation’s security incident response plans. A quarter of respondents were not confident in their organisation’s security response plan.

Despite this continued lack of confidence, respondents understood the significant impact of a breach upon their organisations, with reputational damage topping the list at 56%.

When asked why they thought an organisation would not have a response plan in place, lack of awareness within organisations came out on top with 38% of respondents highlighting this as an issue.

This was followed by a lack of resources (23%), lack of skills or expertise (18%), lack of budget (12%), other (9%) and lack of time (5%). Coming from IT professionals, the perceived lack of awareness when it comes to incident response plans is worrying.

So, the worst has happened and your organisation has suffered a security breach. What are the first things you need to do to ensure that your risk is minimised?

1. Triage

Don’t panic – it may be a natural reaction, but it doesn’t solve anything. Avoid the temptation to simply pull the plug or turn the machines off. Directly after a breach, things often seem worse than they are. Your main goal should be business continuity.

To do this, it’s important to establish the nature and extent of the incident. Is it something that has been seen before, such as a common anti-virus incident? If so, what steps need to be taken to control the impact of the incident?

It’s crucial to closely manage any communication about the security breach to customers and beyond. Many security breaches are broken by news outlets watching social media feeds.

Make sure you have a dedicated team in place for crisis communications and keep track of all customer interactions. This will help you better manage public relations following the incident.

2. Data analysis

Carefully analysing the data involved in the incident is crucial to understanding what actually happened. It may sound simple, but too many security breaches are misdiagnosed early on, resulting in incorrect remedial actions. For example, diagnosing a DDoS attack when a completely different failure has occurred, or prepping for a data corruption incident when it’s actually ransomware.

Understand what happened and how. If this is something that you don’t have the time or resources to manage in your organisation, call in cyber security experts to help you figure out what happened.

By assigning an expert to handle the incident, you can be sure the responsibility of incident management and coordination is taken care of, so that you can focus on getting your organisation back to its normal state of operation.

3. Communication

One of the biggest issues we see with incident response is a lack of internal communication – from board level down. Depending on the type of incident, it may be that communication with the rest of the organisation and external bodies such as third-party agencies, customers and regulatory authorities is necessary.

If that is the case, it’s important to ensure communication only occurs through the pre-planned and established channels.

Communication cannot just take place after the incident. It needs to be an on-going process throughout the organisation.

Regardless of their job function, when a security incident occurs, everyone needs to be fully trained and aware of their role and responsibilities.

Putting security incident playbooks in place for each department can be one way to keep staff aware of what they are and are not allowed to do in the wake of a breach.

As outlined in step one, taking charge of your communication channels is crucial. You should be the one to decide when and how news of the breach is disseminated to various parties. This will help minimise the impact of the incident and avoid fanning any flames.

4. Resolve and recover

Assuming the incident handler and the technical team assigned to the incident have control, you should be on the way to resolving the issue and heading towards recovery.

The road to recovery may involve rolling back disaster recovery (DR) applications, beginning to restore data from backups or simply closing the incident. Whatever the situation, the incident will not be properly resolved until all recovery actions are complete.

5. Lessons learned

Following an incident, organisations can be quick to fall back into routine. It’s important that you learn from every security incident to minimise the risk of it taking place in the future.

Ask yourself: what can we implement to better protect ourselves? If this happens again, have we done enough to minimise the risk and disruption? Does everyone know their role, and are they aware of the part they play in keeping the organisation secure?

Source : http://www.information-age.com/7-ways-cyber-attacks-will-evolve-2017-123463538/


APPLE EMERGED AS a guardian of user privacy this year after fighting FBI demands to help crack into San Bernardino shooter Syed Rizwan Farook’s iPhone. The company has gone to great lengths to secure customer data in recent years, by implementing better encryption for all phones and refusing to undermine that encryption.

But private information still escapes from Apple products under some circumstances. The latest involves the company’s online syncing service iCloud.

Russian digital forensics firm Elcomsoft has found that Apple’s mobile devices automatically send a user’s call history to the company’s servers if iCloud is enabled — but the data gets uploaded in many instances without user choice or notification.

“You only need to have iCloud itself enabled” for the data to be sent, said Vladimir Katalov, CEO of Elcomsoft.

The logs surreptitiously uploaded to Apple contain a list of all calls made and received on an iOS device, complete with phone numbers, dates and times, and duration. They also include missed and bypassed calls. Elcomsoft said Apple retains the data in a user’s iCloud account for up to four months, providing a boon to law enforcement who may not be able to obtain the data either from the user’s phone, if it’s encrypted with an unbreakable passcode, or from the carrier. Although large carriers in the U.S. retain call logs for a year or more, this may not be the case with carriers outside the US.

It’s not just regular call logs that get sent to Apple’s servers. FaceTime, which is used to make audio and video calls on iOS devices, also syncs call history to iCloud automatically, according to Elcomsoft. The company believes syncing of both regular calls and FaceTime call logs goes back to at least iOS 8.2, which Apple released in March 2015.

And beginning with Apple’s latest operating system, iOS 10, incoming missed calls that are made through third-party VoIP applications like Skype, WhatsApp, and Viber, and that use Apple CallKit to make the calls, also get logged to the cloud, Katalov said.

Because Apple possesses the keys to unlock iCloud accounts, U.S. law enforcement agencies can obtain direct access to the logs with a court order. But they still need a tool to extract and parse them.

Elcomsoft said it’s releasing an update to its Phone Breaker software tool today that can be used to extract the call histories from iCloud accounts, using the account holder’s credentials. Elcomsoft’s forensic tools are used by law enforcement, corporate security departments, and even consumers. The company also leases some of its extraction code to Cellebrite, the Israeli firm the FBI regularly uses to get into seized phones and iCloud data.

In some cases, Elcomsoft’s tool can help customers access iCloud even without account credentials, if they can obtain an authentication token for the account from the account holder’s computer, allowing them to get iCloud data without Apple’s help. The use of authentication tokens also bypasses two-factor authentication if the account holder has set this up to prevent a hacker from getting into their account, Elcomsoft notes on its website.

Apple’s collection of call logs potentially puts sensitive information at the disposal of people other than law enforcement and other Elcomsoft customers. Anyone else who might be able to obtain the user’s iCloud credentials, like hackers, could potentially get at it too. In 2014, more than 100 celebrities fell victim to a phishing attack that allowed a hacker to obtain their iCloud credentials and steal nude photos of them from their iCloud accounts. The perpetrator reportedly used Elcomsoft’s software to harvest the celebrity photos once the accounts were unlocked.

Generally, if someone were to attempt to download data in an iCloud account, the system would email a notification to the account owner. But Katalov said no notification occurs when someone downloads synced call logs from iCloud.

Apple acknowledged that the call logs are being synced and said it’s intentional.

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

The syncing of iCloud call logs would not be the first time Apple has been found collecting data secretly. A few months ago, The Intercept reported about similar activity occurring with iMessage logs.

Chris Soghoian, chief technologist for the American Civil Liberties Union, said he’s not surprised that Apple is collecting the information.

“It’s arguably not even the worst thing about iCloud,” he told The Intercept. “The fact that iCloud backs up what would otherwise be end-to-end encrypted iMessages is far worse in my mind. There are other ways the government can obtain [call logs]. But without the backup of iMessages, there may be no other way for them to get those messages.”

Still, he said it’s further proof that “iCloud really is the Achilles heel of the privacy of the iPhone platform. The two biggest privacy problems associated with iCloud don’t have check boxes [for users to opt out], nor do they require that you opt in either.”

Jonathan Zdziarski, an iOS forensics expert and security researcher, said he doesn’t think Apple is doing anything nefarious in syncing the call logs. But he said that Apple needs to be clear to users that the data is being collected and stored in the cloud.

Authorized and Unauthorized iCloud Collection

iCloud is Apple’s cloud service that allows users to sync data across multiple Apple devices, including iPhones, iPads, iPods, and Macs. The iPhone menu corresponding to the service gives users the option of syncing mail, contacts, calendars, reminders, browser history, and notes and wallet data. But even though call logs are automatically getting synced as well, the menu does not list them among the items users can choose to sync. Because there’s no way to opt in to sync call logs, there is also no way to opt out — other than turning off iCloud completely, but this can cause other issues, like preventing apps from storing documents and data (such as WhatsApp backups) in the cloud.

“You can only disable uploading/syncing notes, contacts, calendars, and web history, but the calls are always there,” Katalov said. One way call logs will disappear from the cloud is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization.

Katalov said they’re still researching the issue but it appears that in some cases the call logs sync almost instantly to iCloud, while other times it happens only after a few hours.

In addition to syncing data among their devices, users can also configure their iCloud account to automatically back up and store their data. Katalov said that call logs get sent to the cloud with these backups as well, but this is separate from the trafficking his company discovered: Even if users disable the backups, their call logs will still get synced to Apple’s servers.

“I would suggest Apple to add a simple option to disable call log syncing, as they do that for calendars and other things,” Katalov told The Intercept, though he acknowledges this would likely take some re-architecting on Apple’s part. Nonetheless, he says, “They should allow people to disable that if they want to.”

Even as Apple has increased the security of its mobile devices in recent years, the company has been moving more and more data to the cloud, where it is less protected. Although iCloud data is encrypted on Apple’s server, Apple retains the encryption keys in almost every instance and can therefore unlock the accounts and access data for its own purposes or for law enforcement.

“All of your [iCloud] data is encrypted with keys that are controlled by Apple, but the average user isn’t going to understand that,” Zdziarski said. “You and I are well aware that Apple can read any of your iCloud data when they want to.”

A report in the Financial Times nine months ago indicated Apple plans to re-architect iCloud to resolve this issue and better protect customer data, but that has yet to occur.

Apple discusses the privacy implications of iCloud collection on its website and does say that implementing backups will send to iCloud “nearly all data and settings stored on your device.” A 63-page white paper on the site discloses more clearly that call logs get uploaded to Apple servers when iCloud backups are enabled. But neither document mentions that the logs still get uploaded even if backups aren’t enabled.

Even in an online document about handling legal requests from law enforcement, Apple never mentions that call logs are available through iCloud. It says that it possesses subscriber information that customers provide, including name, physical address, email address, and telephone number. It also says it retains IP connection logs (for up to 30 days), email metadata (for up to 60 days), and content that the user chooses to upload, such as photos, email, documents, contacts, calendars, and bookmarks. The law enforcement document also says that Apple’s servers have iOS device backups, which may include photos and videos in the user’s camera roll, device settings, application data, iMessages, SMS and MMS messages, and voicemail.

The only time it mentions call logs is to say that iCloud stores call histories associated with FaceTime, but it says it maintains only FaceTime call invitation logs, which indicate when a subscriber has sent an invitation to someone to participate in a FaceTime call. Apple says the logs “do not indicate that any communication between users actually took place.” It also says it only retains these logs for “up to 30 days.”

But Elcomsoft said this is not true. Katalov said the FaceTime logs contain full information about the call, including the identification of both parties to the call and the call duration. He said his researchers also found that the FaceTime call logs were retained for as long as four months.

Early Clues From Frustrated Apple Customers

Some users are aware that their call logs are being synced to Apple’s servers, because a byproduct of the automatic syncing means that if they have the same Apple ID as someone with a different device — for example, spouses who have different phones but use the same Apple ID — they will see calls from one device getting synced automatically to the device of the other person who is using the same ID.

“It’s very irritating,” one user complained in a forum about the issue. “My wife and I both have iPhones, we are both on the same apple ID. When she gets a call my phone doesn’t ring but when she misses that call my phone shows a missed call icon on the phone app and when I go to the phone app it’s pretty clearly someone who wasn’t calling my phone. Any way to fix this so it stops?”

Another user expressed frustration at not knowing how to stop the syncing. “I use my phone for business and we have noticed in the last few days that all of the calls I make and receive are appearing in my wife’s iPhone recent call history? I have hunted high and low in settings on both phones but with no joy.”

There’s no indication, however, that these customers realized the full implications of their logs being synced — that the same data is being sent to and stored on Apple’s servers for months.

Apple isn’t the only company syncing call logs to the cloud. Android phones do it as well, and Windows 10 mobile devices also sync call logs by default with other Windows 10 devices that use the same Microsoft account. Katalov said there are too many Android smartphone versions to test, but his company’s research indicates that call log syncing occurs only with Android 6.x and newer versions. As with Apple devices, the only way for a user to disable the call history syncing is to disable syncing completely.

“In ‘pure’ [stock versions of] Android such as one installed on Nexus and Pixel devices, there is no way to select categories to sync,” Katalov said. “For some reason, that is only able on some third-party Android versions running on Sony, HTC, Samsung, etc.” The company already produces a tool for harvesting call logs associated with Android devices.

There’s little that subscribers can do to prevent law enforcement from obtaining their iCloud call logs. But to protect against hackers who might obtain their Apple ID from doing the same, they can use two-factor authentication. But Zdziarski said there’s another solution.

“The takeaway really is don’t ever use iCloud. I won’t use it myself until I can be in control of the encryption keys,” he said.

Source : https://theintercept.com
